Heartbleed will haunt the Internet for years

From the instant news of the Heartbleed bug hit the Internet earlier this month, system administrators scrambled to fix a hole in their security that could have allowed hackers to access their encrypted information for years. While most major websites patched their systems almost immediately, there’s a good chance many smaller sites may never take similar measures.

In other words, the vulnerabilities created by Heartbleed may plague the Internet for years to come. Maybe forever.

Independently identified by researchers at Google and online security firm Codenomicon only a few days apart, Heartbleed is a bug contained in approximately 10 lines of poorly written code in the open-source encryption tool OpenSLL. The bug, which was introduced in a 2012 update to OpenSLL, allows attackers to grab encrypted information as it passes between a website and its users. If employed repeatedly, someone could utilize Heartbleed to learn the entire private encryption a website uses to keep its information safe. In that case, not only could a hacker gain access to every single piece of information sent to a site, but he or she could create fake versions of the site designed to steal users’ passwords or credit card numbers.

The worst part of it is that attacks that exploit Heartbleed are essentially undetectable, meaning there’s no way to tell if a website has been compromised.

As a result, it’s little surprise that a litany of sites moved as fast as they could to update their versions of OpenSSL to one patched with a fix. However, since up to two-thirds of the websites on the Internet use OpenSSL and were potentially vulnerable, it’s virtually guaranteed that some some smaller sites (operations without 24/7 security teams of companies like Google or Facebook) may take far longer to update their security—if they even do so at all.

“There are a lot of servers out there, so it’s guaranteed that some went unpatched,” Andrew Sudbury, chief technical officer of Boston-based online privacy company Abine, tells the Daily Dot.

Sudbury notes that the process for inoculating a site against Heartbleed isn’t particularly difficult—it’s just a matter of upgrading the software package, restarting everything, and then switching out potentially compromised private encryption keys for new ones. “It’s not that hard to do,” he said, ?but it can take some time.”

He added that there’s a long history of hackers taking advantage of bug long after they’ve been made public and patches have been released.

In a study of the attacks conducted using a so-called Phf exploit to access supposedly secure Web servers during the mid-1990s, the number of attacks per month increased for a year after the bug was first identified and patched. In fact, system administrators were still reporting a high volume of incidents two years after problem was reportedly fixed.

Additionally, Sudbury notes, the speed at which scripted attacks occur after a bug is first revealed has increased in recent years. Now that news of Heartbleed has been made public, it’s possible that attackers have set up automated programs to systemically try website after website for their vulnerability to Heartbleed. If there are any sites where Heartbleed can be used to gain access, there’s a good chance that some hacker will eventually find his or her way in.

Even if someone’s data is only compromised on a single site, and that site doesn’t contain particulalry sensitive data like a credit card or Social Security number, that single weak link could end up doing serious damage—especially if someone employs a single password for everything. Armed with just one password and email address, it’s often possible for a dedicated attacker to gain access to a whole litany of different accounts.

Ironically, sites that have been extremely lax about patching their security tools are actually protected from Heartbleed. Since the bug was introduced in March of 2012, any site that hasn’t updated their software since then is technically safe.

While a successful Heartbleed attack is undetectable, that doesn’t mean there’s nothing users can do to protect themselves. There’s a website where people check if a site they’re using has patched itself against Heartbleed. There are also browser extensions for Firefox and Chrome that check a site’s protection against Heartbleed automatically.

Other ways for people to keep themselves safe against Heartbleed is to enable two-factor authentication whenever possible and to update all of their passwords, ensuring that those passwords are never reused and are as strong as possible.

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.